#dev 2021-05-10

2021-05-10 UTC
samwilson, [jeremycherfas], ytqb[m], vilhalmer and ShadowKyogre joined the channel; ShadowKyogre left the channel
@AndreJaenisch
↩️ Wait. hentry? WebMention support? Or only microformats? (Which would be great on its own) To answer the question: IndieWeb!
(twitter.com/_/status/1391650750493827073)
ShadowKyogre, [KevinMarks], samwilson, [dianoetic_net], [jeremycherfas], shoesNsocks and sparseMatrix joined the channel
sparseMatrix
so what's the best OAuth2 provider library for doing microformat stuffs with Python?
sparseMatrix
I'm looking at AuthLib
sparseMatrix
errr, Authlib
sparseMatrix
I'm wondering if maybe I could just integrate something like this into my environment: https://github.com/bbc/nmos-auth-server
sparseMatrix
it's based on Authlib
Loqi
[bbc] nmos-auth-server: AMWA NMOS BCP-003-02 Authorisation Server
sparseMatrix
I have done the JWT thing before, but not necessarily via an OAuth workflow
sparseMatrix
I had some phone-home devices I set up 'dialing up' the mothership for purposes of accessing an api
@omc345
I finally set up Webmentions with the help of @jkup's awesome post and repository. It's time to make it count! https://jonkuperman.com/gatsby-webmentions/
(twitter.com/_/status/1391776752477802497)
jeremych_, [jacky] and [KevinMarks] joined the channel
[tantek] joined the channel
[KevinMarks]
a pushback against what3words, which is full of flaws
[tantek]
and their fragile JS is broken on FF so meh
shoesNsocks and tomlarkworthy joined the channel
tomlarkworthy
Is the backlink from GitHub profile strictly necessary to log in someone?
tomlarkworthy
If I am user https://tom.com/ with a rel=me link to https://github/tom, then to log in as https://tom.com/ I can just take https://tom.com's word?
tomlarkworthy
like if GitHub authenticates the nominated profile user then that's basically the same as having an indie_auth link to the GitHub OAuth endpoint
aaronpk
here's an attack on that: I can create a page not-tom.com with a rel=me link to github.com/tom, then trick tom into visiting a link that starts the flow with not-tom.com, and since tom is logged in to github, he'd be logged in to the app as not-tom.com
[tantek]
only a little worried what those domains resolve to 😬 — please use (not-)tom.example.com next time :)
tomlarkworthy
it's not an attack. I can create not-tom.example.com and have an authorization_endpoint that auto logs in anybody, then we are in the same position, real tom is logged into the app as not-tom.example.com after being tricked
aaronpk
i guess that's what .example is for too
tomlarkworthy
critically I am not logged into the app as tom.example.com. Also indielogin.com does summarize what is about to happen for this kind of reason anyway
tomlarkworthy
an indieauth endpoint does not require backlinks, it clearly is not totally necessary, though there is obvious value to having bidirectional trust as it's symmetric, but for the purposes of login you only need it one way really.
aaronpk
i thought there was another reason that [tantek] wrote up in the original RelMeAuth but now i can't find it
tomlarkworthy
I am just trying to simplify things and the fact GitHub only allows one homepage is annoying
aaronpk
indielogin.com checks the GitHub bio for additional links
[tantek]
the bidirectional links also help as guard rails. to make it easier to detect and communicate user error, in a manner that enables the user to repair their error
tomlarkworthy
2 of 2 users I have so far talked to had an incompatible homepage already in their GitHub profile, so I think in practice this gets in the way, especially as GitHub only allows one link.
[tantek]
for example, someone with multiple identities and respective GitHub or other OAuth endpoints, could mistakenly log in as one somewhere where they intended to log in as another if there was only a "simple" check of "do they have the logged in cookie on that thing over there"
tomlarkworthy
but yeah, good workaround with profile scanning
[tantek]
yeah the experience around here has been quite the opposite, most folks when they show up already have their personal site as the GitHub website
[tantek]
and they typically also already have a link from their personal site to their GitHub profile (because that's a common UX, typically with an icon)
tomlarkworthy
yeah this was the case for me
[tantek]
so "all" they have to do is add "rel=me" to that link on their home page and they're done
[tantek]
literally easier than any other distributed/federated identity system on the web or even proposed
tomlarkworthy
yeah it's good. That's why I am here :)
tomlarkworthy
but not having backlinks for silo oauth providers is even easier.
tomlarkworthy
I don't see a great reason for the backlinks here
[KevinMarks]
locus.plus does need js as it's calling the location api, though it may barf if you're not in the uk when it does the grid conversion
tomlarkworthy
BTW I ban http homepages because of MITM risks so Tantek's would not work with auth server.
tomlarkworthy
this was one reason why I could not accept one of my users' homepages
tomlarkworthy
you can't trust an http site so in my mind it is not a suitable substrate for login
[KevinMarks]
is there an MITM risk from your server side? That's usually only a significant issue for client side
aaronpk
there's a risk but it's very low
tomlarkworthy
well it really depends where the user's webpage is hosted.
tomlarkworthy
several governments are known to MITM their citizens
aaronpk
as soon as you are concerned about government attacks you have to do better than public CA SSL too
tomlarkworthy
just seems strange to put so much faith in DNS and then not secure the comms to those named servers with https
aaronpk
SSL is already trivially broken on corporate networks
aaronpk
so, as always, it depends on your threat model and what you are trying to protect against
tomlarkworthy
yeah I guess the main vector is coffee shop wifi attacks but this is not an issue with server-to-server verification
[tantek]
huh? what would mine not work with what server?
tomlarkworthy
sorry my auth server does not accept http
tomlarkworthy
oh funny I clicked your name here and it directs to http version of your site
tomlarkworthy
I can't find evidence of SSL being broken (without installing custom certs or throwing errors in the browser)
aaronpk
yes, on devices managed by a company, the IT department can push custom root certs to the machine, then they can sign a cert for any domain that the computer will trust. this happens all the time, and the end user won't even be aware of it
tomlarkworthy
yeah that's a custom cert.
aaronpk
yes, i'm saying it's something the user isn't necessarily aware of and requires no action on their part
tomlarkworthy
it does, they have to use a corporate issued device that is not theirs
aaronpk
or a personal device that they enrolled in the corporate management system
tomlarkworthy
that's an action
aaronpk
yes, either: take an action (once) on their personal device, or no action on a corporate device
[tantek]
both are very easy for folks to forget they've done
[tantek]
in what UI did you "click on my name here"?
tomlarkworthy
"https://chat.indieweb.org/"
tomlarkworthy
kevinmarks too goes to http
tomlarkworthy
aaronpk goes to https
[tantek]
very odd
aaronpk
i mean it's just pulling from https://indieweb.org/chat-names
tomlarkworthy
HSTS headers?
tomlarkworthy
yeah the actual link is "http://aaronparecki.com/"
[tantek]
aaronpk, chat-names doesn't specify http or https for your personal domain
[tantek]
so some other code somewhere is making an assumption there
aaronpk
oh really
[tantek]
the only explicit http(s) is for the icon
aaronpk
my http redirects to https
[tantek]
maybe that's a coincidence that you use https for your icon and I don't (editing now)
tomlarkworthy
yeah it is going to http for aaronpk
[tantek]
should it though? do we still allow http: IndieAuth logins on the wiki? (we used to right?)
aaronpk
i'm pretty sure indielogin.com will accept an http url
tomlarkworthy
yes there was some complex upgrade logic I decided not to prot and just accept only https
tomlarkworthy
not to port
[dianoetic_net] and [tw2113_Slack_] joined the channel
tomlarkworthy
oh that was indieauth.com sorry. Some InsecureRedirectErrors
tomlarkworthy
'indielogin.com will handle the case of users entering an insecure HTTP URI and "upgrading"/redirecting it to a HTTPS one; IIRC. It's been an issue mentioned before in here.' Maybe old though
Loqi
[jalcine] On Saturday, 15 December 2018 01:20:32 PST fluffy wrote: > It would be nice to reduce the barrier to entry by allowing people to log in > using the identity from the service itself, rather than needing to set up a > profile page with the correct `...
sparseMatrix joined the channel
sparseMatrix
I've been reading the (proposed) spec here: https://www.w3.org/TR/indieauth/#authentication for most of the day. If this is the working spec, it does say that http should be upgraded to https by the client
sparseMatrix
It's also fairly permissive of redirects
sparseMatrix
and document URI, vs strictly canonical domains, e.g., 'https://someplace.com/joe.user/joes-hcard.html'
sparseMatrix
cool, I'll switch over to that @aaronpk
sparseMatrix
and thanks :D
[tantek]
point being the links to people in the chat archives could be https
[tantek]
sparseMatrix, you may want to use example.com for example URLs as even "made-up" examples likely link somewhere you don't intend to
vilhalmer
anyone have a python rss generation library they like? rfeed seems good given that rss hasn't changed much recently, but figured I'd check
[KevinMarks] joined the channel
[KevinMarks]
I've done it with jinja2, but that isn't naturally xml compliant
[KevinMarks]
See what granary uses
[snarfed] joined the channel
[snarfed]
granary uses https://feedgen.kiesow.be/ . it’s…fine
vilhalmer
fine is about all I could ask for, heh
[girrodocus] and [dianoetic_net] joined the channel
[dianoetic_net]
I have webmentions displaying 💃
[dianoetic_net]
Have we got anything for sending to Bridgy using GitHub actions? Or will I have to get scripty
[Jeremy_Keith] joined the channel
[snarfed]
it’s an HTTP POST, `curl -d ...` will do it
[snarfed]
(and congrats on wms!)
samwilson and [chrisaldrich] joined the channel
[dianoetic_net]
Thanks! I'll have to find a way to grab the right URL to send I suppose.
[dianoetic_net]
I guess I could IFTTT but somehow that feels like admitting defeat...